News9 July 2026

Uncloaked: WordPress Takeovers, Supabase Leaks, and a Skimmer Hiding in Plain Sight

Uncloaked: WordPress Takeovers, Supabase Leaks, and a Skimmer Hiding in Plain Sight

Uncloaked: WordPress Takeovers, Supabase Leaks, and a Skimmer Hiding in Plain Sight

Every few weeks we pull together the security stories that actually matter to people running a website, not the ones that only matter to a SOC analyst. This edition covers five, all of them tied to attack surfaces Decloak checks for on every scan.

1. A WordPress password-reset flaw let attackers take over admin accounts on 500,000 sites

In June 2026, researchers disclosed CVE-2026-8206, a critical flaw in Kirki, a WordPress page-builder and customizer plugin used on more than 500,000 sites. The bug lived in the plugin's password-reset endpoint, which accepted an attacker-supplied email address instead of using the account's actual registered one. Send a reset request for any admin username, point it at your own inbox, and the valid reset link arrives in your mailbox instead of the real admin's.

Wordfence reported blocking over 220 exploitation attempts within the first 24 hours of disclosure. No advanced exploit chain, no memory corruption, just a REST endpoint that trusted the wrong field.

Why it matters beyond WordPress specifically: this is the same class of bug we flag constantly across other CMS platforms, an authentication or authorization check that exists on paper but doesn't actually verify what it claims to. Decloak's CMS fingerprinting (Layer 1) checks your platform and installed version against known, actively-exploited CVEs like this one, so a plugin flaw like Kirki's shows up as a finding the same day it's disclosed rather than however long it takes you to notice.

2. WordPress Core itself got a critical, unauthenticated RCE

Days after the Kirki disclosure, a separate and more serious issue landed: CVE-2026-63030, an unauthenticated remote code execution vulnerability in WordPress Core's REST API batch endpoint, affecting versions 6.9.0 through 7.0.x. Unlike a plugin flaw, this one doesn't require any third-party plugin to be installed at all, just a vulnerable version of WordPress itself, publicly reachable, no login required.

Why it matters: core vulnerabilities are rarer than plugin ones but far more consequential, since almost every WordPress site runs the affected code paths by default. If you're running WordPress and haven't checked your core version this month, that's the first thing worth doing.

3. A single Supabase misconfiguration exposed 1.5 million API keys

In January 2026, a platform called Moltbook exposed roughly 1.5 million API keys, email addresses, and authentication tokens, because Row Level Security was never enabled on its Supabase database. Anyone with basic technical knowledge could query the public API directly and pull the data, no exploit required, just an HTTP request against a table that had no access rules attached to it.

This isn't an isolated case. A separate disclosure, CVE-2025-48757, documented the same root cause, missing RLS policies, across more than 170 applications built on Lovable, with one incident alone leaking 13,000 users' data.

Why it matters: we wrote about this exact failure mode in detail in a previous post, and it remains the single most common finding in apps built with AI tools. Supabase has since started rolling out a default-secure setting, new tables will no longer be exposed to the Data API automatically unless explicitly opted in, which should meaningfully reduce this class of incident over time. Existing projects aren't covered until the change reaches them later in 2026, so it's worth checking your own setup now rather than waiting. Decloak's platform layer (Layer 10) checks for exactly this, whether your Supabase tables are readable via the public anon key, on every scan.

4. A card-skimming campaign is hiding inside Google Tag Manager

Security researchers tracking a threat actor known as ATMZOW documented an active campaign in which attackers gain access to a site's Google Tag Manager account and inject a card-skimming script disguised as a normal GTM tag. Because the malicious code loads from the trusted googletagmanager.com domain, it sails past most web application firewalls and client-side integrity checks, which are generally configured to trust anything coming from Google's own infrastructure.

The skimmer's payload is deliberately fragile by design, its decoder breaks if a single character of the script changes, which makes it resistant to automated signature-based detection. When Google removes one malicious container after abuse reports, the group has repeatedly stood up a replacement within days.

Why it matters: this is precisely the blind spot a lot of security tooling has, trusting a script because of where it's loaded from rather than what it actually does. Decloak's tag manager layer (Layer 5) flags GTM containers firing requests to unrecognised or recently-registered domains, regardless of how trusted the loading mechanism looks on the surface.

5. Six WordPress plugin CVEs, all critical, all actively exploited, in the same month

Zooming out: June 2026 saw six separate WordPress plugin vulnerabilities, all rated CVSS 9.8, all under active exploitation simultaneously. Between Kirki, a cache plugin, and several others, security researchers described it as an unprecedented clustering of critical, actively-exploited plugin bugs hitting at the same time.

Why it matters: if your site runs WordPress, or any CMS with a large plugin ecosystem, "we'll patch it when we notice" is no longer a viable strategy on its own. The gap between disclosure and active exploitation is now measured in hours, not weeks.

The pattern across all five

None of these are exotic. A password-reset endpoint that trusts the wrong input. A database with no access rules attached to it. A trusted script slot used to smuggle in something that isn't trustworthy. The common thread is that every one of them was discoverable before it was exploited, not through a sophisticated audit, but through the kind of automated check that takes fifteen seconds to run.


Sources: Bleeping Computer on the Kirki vulnerability · Rapid7 on CVE-2026-63030 · Bastion on the Moltbook/Supabase incident · byteiota on CVE-2025-48757 · Reflectiz on the ATMZOW skimmer · adyog on June 2026's WordPress vulnerability cluster

Decloak checks your CMS version against known CVEs, your Supabase configuration, and your tag manager containers automatically, alongside five other attack surfaces, in a free 15-second scan. Scan your site free →